httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dan Rossi" <dan...@electroteque.org>
Subject RE: [users@httpd] RE: ssl pass phrase dialog on startup
Date Mon, 18 Nov 2002 10:48:05 GMT
so regarding my last question , can ssl be setup as i have made it on
virtualhosts or do i need a seperate ip for each ssl site ?

-----Original Message-----
From: Boyle Owen [mailto:Owen.Boyle@swx.com]
Sent: Monday, November 18, 2002 8:58 PM
To: users@httpd.apache.org
Subject: RE: [users@httpd] RE: ssl pass phrase dialog on startup


Use the passphrase by all means, if you think it is necessary. The
downside is that a passphrase-knower has to be on 24-hr callout and the
response time for getting the server back up depends on getting that guy
to the keyboard. For the dubious security gain it provides (practically
none), I don't think it's worth the hassle.

As regards vulnerability via backups - I wouldn't backup
/usr/local/apache/conf/ssl.key. If you want a copy of the key, keep it
on a floppy in a safe.

The "corrupt employee" scam beats any security scheme you can think of,
including the floppy-in-a-safe. The only really, really secure scheme I
can think of is dual-key - but Richard Prior got round even that in
Superman 3 :-)

>-----Original Message-----
>From: Howarth, Richard [mailto:rhowarth@sgb.co.uk]
>Sent: Montag, 18. November 2002 10:48
>To: 'users@httpd.apache.org'
>Subject: RE: [users@httpd] RE: ssl pass phrase dialog on startup
>
>
>> Having said that, my personal opinion is that there not much point to
>> the passphrase - an SSL server should be highly secure
>> anyway, with the
>> cert readable only by root so theft of the cert should be as
>difficult
>> as finding out the passphrase - i.e. anyone who can copy the
>> cert has to
>> have root privilege and so would know the passphrase anyway.
>
>Or it can be as easy as obtaining a backup -  either by theft, careless
>handling of backup media or simply making an offer to a lowly
>paid operator
>that they can't refuse.  The certificate can then be restored and used
>without recourse to root privilege.
>
>Once it is out in the wild, you have lost it.
>
>> I think the
>> safest way to run is without passphrase but with a highly secure
>> webserver.
>
>The passphrase is another layer in the security onion.
>Whether or not you
>should be using it will depend upon the nature of your
>business, your local
>data protection laws and what the people who audit your
>company accounts and
>practices think.
>
>For private use and small business it may not be an issue, but in an
>increasingly litigious world it is worth thinking twice before making
>yourself culpable by willfully failing to implement or circumventing a
>security feature.
>
>Richard.
>
>
>IMPORTANT INFORMATION & CONFIDENTIALITY NOTICE
>
>The information in this Email is confidential and may be
>legally privileged.
>It is intended solely for the
>named recipient.  Access to this e-mail by anyone else is
>unauthorised.  If
>you are not the intended recipient
>or the employee or agent responsible for delivering the message to the
>recipient named, please note that any
>use, disclosure, copying, distribution of this Email or any
>action taken or
>omitted to be taken in reliance
>on it is prohibited.  If you are not the intended recipient,
>please inform
>us by returning a copy of the
>Email with the subject line marked "wrong address" and then
>deleting the
>Email, and any attachments and any
>copies of it.
>
>Any questions should be directed to mailto:administrator@harsco.com
>
>Harsco uses regularly updated anti-virus software in an
>attempt to reduce
>the possibility of infection.
>However we do not guarantee that any attachments to this email
>are virus
>free.
>
>
>
>---------------------------------------------------------------------
>The official User-To-User support forum of the Apache HTTP
>Server Project.
>See <URL:http://httpd.apache.org/userslist.html> for more info.
>To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
>For additional commands, e-mail: users-help@httpd.apache.org
>
>

This message is for the named person's use only. It may contain
confidential, proprietary or legally privileged information. No
confidentiality or privilege is waived or lost by any mistransmission.
If you receive this message in error, please notify the sender urgently
and then immediately delete the message and any copies of it from your
system. Please also immediately destroy any hardcopies of the message.
You must not, directly or indirectly, use, disclose, distribute, print,
or copy any part of this message if you are not the intended recipient.
The sender's company reserves the right to monitor all e-mail
communications through their networks. Any views expressed in this
message are those of the individual sender, except where the message
states otherwise and the sender is authorised to state them to be the
views of the sender's company.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message